Last updated: March 18, 2026
Agent event data: Halt captures tool calls, LLM requests, messages, and lifecycle events from your OpenClaw agents via the Halt plugin. This data powers monitoring, alerting, rule evaluation, and anomaly detection.
Account data: Email address, name (via GitHub OAuth or email magic link), and billing information (via Stripe).
Usage data: Dashboard interactions and feedback submitted through the in-app widget.
Auto-kill configuration: For each agent, Halt stores your auto-kill settings (enabled/disabled, violation threshold, detection window). Violation logs tracking rule breaches that trigger auto-kill are maintained in your workspace and are subject to the same retention policy as event data.
Before any event data leaves your agent, the Halt plugin automatically redacts sensitive information using 25+ built-in patterns: API keys, passwords, tokens, SSH keys, AWS credentials, database connection strings, and OAuth tokens. Raw secrets are never transmitted to or stored on Halt servers. You can add custom redaction patterns in your plugin configuration.
Anonymized data sharing is opt-in and off by default. If enabled, only aggregate patterns are shared (rule trigger frequencies, common tool names, anomaly score distributions). This data may be used to power collective intelligence features such as shared anomaly baselines, community rule libraries, and model improvements. We never share raw events, message content, file contents, or agent outputs. You can toggle this anytime in Settings.
Halt does not sell, rent, or trade personal data to third parties.
We share the minimum data necessary with the following services:
If we add or change AI providers or other sub-processors, we will update this policy and notify users via email or dashboard notification.
The /demo page does not require login and does not access any real agent data. When you run a demo scenario, your scenario selection and rule configuration are sent to OpenAI to generate simulated agent events. No personal data, real agent events, or account information is included in demo requests. Demo activity is not stored on Halt servers and is not used for model training.
GitHub OAuth: We request only your email address. We do not access your repositories, code, or any other GitHub data. You can revoke access anytime in GitHub Settings > Applications.
Email magic links: Single-use login tokens are emailed via Resend, expire after 24 hours, and are deleted after use.
Event data is retained based on your plan:
Account data is retained while your account is active. After account deletion, all data is permanently removed within 30 days.
Landing page analytics (see below) are retained for 30 days.
All users: You can access, correct, export, or delete your data from Settings at any time.
EU users (GDPR): You have the right to access, correct, delete, port, and restrict processing of your data. You may opt out of AI-powered features and lodge a complaint with your data protection authority.
California users (CCPA): You have the right to know what data is collected, request deletion, and opt out of data sharing. Halt does not sell personal data.
To exercise these rights, email privacy@halt.dev. We respond within 45 days.
We employ industry-standard protections: encryption in transit (TLS), API keys hashed with bcrypt, role-based access control, automatic secret redaction before storage, and regular security reviews. While we implement reasonable safeguards, no system is 100% secure.
For important limitations on kill switch and auto-kill functionality, please see our Terms of Service (Section 3).
Report security vulnerabilities to security@halt.dev. We will acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
Halt does not use cookies for tracking, profiling, or marketing. Cookies are used only for session management (login tokens). No third-party analytics or tracking pixels are loaded.
Landing page analytics: Halt collects anonymous page view data on the marketing site (halt.dev) including page path, referrer URL, and inferred country (via request headers). This data is stored in our own database, is not linked to user accounts, and is used solely to understand traffic patterns. No browsing history, device fingerprints, or personal identifiers are collected. Analytics data is retained for 30 days and is not shared with third parties.
We may update this policy from time to time. Material changes will be communicated via email or dashboard notification.
Questions about privacy? Email privacy@halt.dev.